CN101820383B - Method and device for restricting remote access of switcher - Google Patents

Method and device for restricting remote access of a switch

Publication number: CN101820383B (granted patent); earlier publication: CN101820383A
Application number: CN201010101673.8A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 陈旭明
Original assignee: ZTE Corp (application filed by ZTE Corp)
Current assignee: Nanjing Zhongxing Software Co Ltd
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Prior art keywords: acl, address, data packet, switch, source

Abstract

The invention discloses a method and a device for restricting remote access to a switch. The method comprises: matching the data packets received on a predetermined port of the switch against a first access control list (ACL) of the switch; passing matched packets, whose contents are identical to all of the fields configured in the first ACL, to the switch CPU for processing; and handing unmatched packets, whose contents differ from the fields configured in the first ACL, to a global ACL that is in force on all ports of the switch. The ACL already available on the switch (or other network device) is thus used to block traffic that would otherwise reach the CPU without authorization, which lowers CPU utilization and relaxes the CPU performance requirement of the network device.

Description

Method and device for restricting remote access to a switch
Technical field
The present invention relates to data communication in computer networks, and in particular to a method and a device for restricting remote access to a switch by means of a global ACL (access control list) implemented on an ASIC chip.
Background
As data communication networks have grown, Ethernet switches have become ubiquitous, but because there are so many of them (especially low-end access-layer devices), managing them remotely in a way that is both convenient and secure has become a hard problem. Conventional remote access technologies such as telnet, SNMP and web rely only on a username and password mechanism for access control, and the conventional way of restricting remote access is to filter against a list of trusted IPv4 addresses. That has an obvious limitation: if the source address is forged, the attacker obtains the same access to the switch. An ACL implemented in software usually keeps a linked list of legal IPv4 addresses in memory; when a packet is handed to the CPU, the CPU parses the packet's source IP address, ANDs it with the mask, checks whether the address lies within the legal range, and discards the packet if it does not. This wastes CPU cycles. Many Ethernet switches use an ASIC chip for high-speed forwarding, and most switching chips support VLAN partitioning, access control lists (ACLs) and similar functions, but the ACL normally restricts only the data flows forwarded by the ASIC; it generally cannot restrict the protocol traffic destined for the CPU.
Summary of the invention
An object of the invention is to provide a method for restricting remote access to a switch or other network device by means of a global ACL, which uses the access control list already present on the switch or other network device to stop traffic from reaching the CPU without authorization, thereby protecting the device.
Another object of the invention is to provide a device for restricting remote access to a switch or other network device by means of a global ACL, which likewise uses the access control list already present on the device to stop traffic from reaching the CPU without authorization, thereby protecting the device.
According to a first aspect of the invention, the method of restricting remote access to a switch by means of a global ACL (access control list) comprises the following steps:
matching the data packets received on a predetermined port of the switch against a first ACL of the switch;
passing matched packets, whose contents are identical to the fields configured in the first ACL, to the switch CPU for processing; or
handing unmatched packets, whose contents differ from the fields configured in the first ACL, to a global ACL in force on all ports of the switch.
The processing performed by the global ACL comprises: if the destination IP address, destination MAC address and destination port number of the unmatched packet are identical to the corresponding fields configured in the global ACL, the packet is discarded; if the destination IP address or destination port number of the unmatched packet differs from the corresponding fields configured in the global ACL and the packet is a protocol message, it is passed to the switch CPU for processing.
Packets that carry repeated password attempts are matched against a second ACL, and packets whose contents completely match the fields configured in the second ACL are discarded.
The fields configured in the first ACL comprise: source IP address, destination IP address, source MAC address, destination MAC address, VLAN ID and destination port number. The source IP address and source MAC address are obtained by remote synchronization; the destination IP address, destination MAC address, VLAN ID and destination port number are the switch's own configuration.
The switch periodically synchronizes the source IP address and source MAC address of permitted remote-access messages from a pre-designated gateway in the network, combines the synchronized source IP address and source MAC address with the VLAN ID, destination IP address, destination MAC address and port number kept in the switch's hash storage table to obtain the synchronized configuration, and computes a synchronized configuration index.
The switch compares the ACL index computed from the source IP address, destination IP address, source MAC address, destination MAC address, VLAN ID and destination port number configured in the corresponding first ACL with the synchronized configuration index, and acts on the result as follows:
if the synchronized configuration index is identical to the first ACL index, the corresponding first ACL is kept;
if the synchronized configuration index differs from the first ACL index, the corresponding first ACL is changed.
When the synchronized configuration index differs from the corresponding first ACL index, the switch performs the following operations:
if the synchronized source IP address and source MAC address are the source addresses of a new packet, the synchronized configuration is copied into the switch's hash storage table, a first ACL for that new packet is added, and the ACL is bound to the port;
if the synchronized source IP address and source MAC address are empty, the binding of the corresponding first ACL is removed from the port, and the first ACL is then deleted from the switch's ASIC chip.
According to a second aspect of the invention, the device for restricting remote access to a switch by means of a global ACL comprises:
a matching module, which matches the data packets received on a predetermined port of the switch against the first ACL of the switch;
a matched-packet processing module, which passes packets whose contents are identical to the fields configured in the first ACL to the switch CPU for processing;
an unmatched-packet processing module, which hands packets whose contents differ from the fields configured in the first ACL to the global ACL in force on all ports of the switch, where they are either discarded or delivered to the CPU.
The processing performed by the global ACL comprises: if the destination IP address, destination MAC address and destination port number of the unmatched packet are identical to the corresponding fields configured in the global ACL, the packet is discarded; if the destination IP address or destination port number of the unmatched packet differs from the corresponding fields configured in the global ACL and the packet is a protocol message, it is passed to the switch CPU for processing.
The invention further comprises a module for blocking repeated password attempts, which matches the packets carrying repeated password attempts against the second ACL and discards packets whose contents completely match the fields configured in the second ACL.
The technical scheme above gives the invention the following advantages:
1) the ACL implemented on the ASIC chip is used to control the protocol traffic that reaches the CPU; it can match several fields of a message, so it is flexible and lookups are fast;
2) traffic to the CPU is reduced effectively, which lowers CPU utilization and relaxes the CPU performance requirement of the network device.
The invention is described in detail below with reference to the drawings.
Brief description of the drawings
Fig. 1 is a schematic diagram of the device of the invention for restricting remote access to a switch by means of a global ACL;
Fig. 2 is a schematic diagram of the hash storage table kept in the switch's flash;
Fig. 3 is a flow chart of synchronizing the configuration and writing ASIC chip table entries in the method of the invention;
Fig. 4 is a flow chart of the ASIC chip's ACL processing of a message received on a port.
Embodiment
Fig. 1 shows the device of the invention for restricting remote access to a switch by means of a global ACL, comprising:
a matching module, which matches the data packets received on a predetermined port of the switch against the first ACL of the switch;
a matched-packet processing module, which passes packets whose contents are identical to the fields configured in the first ACL to the switch CPU for processing;
an unmatched-packet processing module, which hands packets whose contents differ from the fields configured in the first ACL to the global ACL in force on all ports of the switch, where they are either discarded or delivered to the switch CPU.
The first ACL and the global ACL are stored in the switch's hash storage table. The global ACL is configured with the same destination IP address, destination MAC address and destination port number as the first ACL; these fields are copies of the corresponding fields of the first ACL.
The global ACL processing comprises: if the destination IP address, destination MAC address and destination port number of the unmatched packet are identical to the corresponding fields configured in the global ACL, the packet is discarded; if the destination IP address or destination port number of the unmatched packet differs from the corresponding fields configured in the global ACL and the packet is a protocol message, it is passed to the switch CPU for processing. Because protocol messages carry their own distinguishing port numbers (or, for ARP and ICMP, no transport-layer port at all), the invention can recognize a protocol message by its port number and deliver it to the switch CPU.
The device of the invention also comprises a module for blocking repeated password attempts, which matches the packets carrying repeated password attempts against the second ACL and discards packets whose contents completely match the fields configured in the second ACL.
The fields configured in the first ACL comprise: source IP address, destination IP address, source MAC address, destination MAC address, VLAN ID and destination port number. The source IP address and source MAC address are obtained through the synchronized configuration, that is, by remote synchronization; the destination IP address, destination MAC address, VLAN ID and destination port number are the switch's own configuration.
The second ACL has a fixed lifetime. Its fields are the same as those configured in the first ACL and are copied from it, but the second ACL does not take part in configuration synchronization.
The method of the invention for restricting remote access to a switch by means of a global ACL is based on the device above and comprises the following steps:
matching the data packets received on a predetermined port of the switch against the first ACL of the switch;
passing matched packets, whose contents are identical to the fields configured in the first ACL, to the switch CPU for processing; or
handing unmatched packets, whose contents differ from the fields configured in the first ACL, to the global ACL in force on all ports of the switch, where they are either discarded or delivered to the switch CPU.
The processing performed by the global ACL comprises: if the destination IP address, destination MAC address and destination port number of the unmatched packet are identical to the corresponding fields configured in the global ACL, the packet is discarded; if the destination IP address or destination port number of the unmatched packet differs from the corresponding fields configured in the global ACL and the packet is a protocol message, it is passed to the switch CPU for processing.
To avoid forwarding packets that carry repeated password attempts, the invention matches such packets against the second ACL and discards packets whose contents completely match the fields configured in the second ACL.
The invention maintains the first ACL dynamically: first-ACL entries for source addresses that are no longer permitted remote access are discarded and entries for newly permitted source addresses are added. To this end the switch periodically (including at every boot or reboot) synchronizes from the pre-designated gateway in the network the source IP address and source MAC address of permitted remote-access messages, combines the synchronized source IP address and source MAC address with the VLAN ID, destination IP address, destination MAC address and port number in the switch's hash storage table to form the synchronized configuration, and computes the synchronized configuration index.
The switch then compares the ACL index computed from the source IP address, destination IP address, source MAC address, destination MAC address, VLAN ID and destination port number configured in the corresponding first ACL with the synchronized configuration index, and acts on the result as follows:
if the synchronized configuration index is identical to the first ACL index, the corresponding first ACL is kept;
if the synchronized configuration index differs from the first ACL index, the corresponding first ACL is changed.
When the synchronized configuration index differs from the corresponding first ACL index, the switch performs the following concrete operations:
if the synchronized source IP address and source MAC address are the source addresses of a new packet, the synchronized configuration is copied into the switch's hash storage table, a first ACL for that new packet is added, and the ACL is bound to the port;
if the synchronized source IP address and source MAC address are empty, the binding of the corresponding first ACL is removed from the port, and the first ACL is then deleted from the switch's ASIC chip. In other words, when the synchronized configuration no longer contains the source IP address and source MAC address of an existing ACL, the host with that source address is no longer permitted to access the switch remotely, so the ACL for that host must be deleted.
The switch must be configured with a layer-3 interface IP address, and that IP address is bound to a VLAN. Once the layer-3 interface is up, the switch adds its own MAC address to its layer-2 forwarding table as a static MAC address.
Fig. 2 shows the hash storage table kept in the switch's flash; each row of the table corresponds to the first ACL for one kind of packet. For a packet that needs forwarding, the lookup first computes the hash index of the synchronized configuration and the hash index of the fields configured in the current ACL. If the two are identical, the entry is left unchanged; if they differ (normally because a new packet source has appeared), the ACL entry is updated with the synchronized configuration; if the synchronized table does not contain the stored hash index at all (there is no source IP address and source MAC address for it), the entry has been deleted, and the contents of the row with that hash index are cleared.
For example, if the configured source MAC address has changed from mac1 to mac4, the newly computed index differs from the index stored in flash (their XOR is non-zero), so the corresponding source and destination MAC addresses, VLAN ID and the other fields are written to flash, overwriting the original entry.
If the original flash contains an index that is absent from the synchronized configuration, the entry is regarded as deleted and the whole row is removed.
Fig. 3 shows the flow of synchronizing the configuration and writing the ASIC chip table entries in the method of the invention:
Step 201: after the switch boots for the first time or reboots, it synchronizes the source IP addresses and source MAC addresses of trusted remote-access hosts from the pre-designated gateway in the network once. The first synchronization is delayed by a random time within 10 minutes; afterwards synchronization repeats every 10 minutes. The period is configurable and defaults to 10 minutes. Proceed to step 202;
Step 202: combine the synchronized configuration with the VLAN ID, IP address, MAC address and port numbers of the switch's layer-3 interface and compute a synchronized configuration hash index with the hash algorithm; proceed to step 203;
Step 203: look up the table and compare the synchronized configuration hash index with the stored hash index. If the hash index has changed, enter the add-ACL-entry flow of step 207; if the hash index no longer exists, enter the delete-ACL-entry flow of step 204; if the hash index is unchanged, go straight to step 210, leave the chip untouched and wait for the next synchronization;
Step 204: delete the ACL entry: first unbind this ACL from the port; proceed to step 205;
Step 205: remove all rules belonging to this ACL entry; proceed to step 206;
Step 206: release this ACL number, after which messages to the CPU from that source are no longer restricted; proceed to step 210 and wait for the next synchronization;
Step 207: add an ACL entry; all rules added afterwards belong to this ACL; proceed to step 208;
Step 208: add the ACL rules in turn. For the three transport-layer destination ports corresponding to the three access modes, two ACL rules are needed per port.
Taking telnet as an example, rule 1 regards a packet as legal only if it matches the source MAC address, destination MAC address, source IP address, destination IP address and VLAN ID exactly and its destination port number is 23; the ASIC chip then delivers it to the CPU. Rule 2 is in force on all ports: a message whose destination MAC address and destination IP address agree with the chip configuration and whose destination port number is 23 is dropped.
Step 209: bind this ACL to the port, at which point it takes effect; proceed to step 210;
Step 210: wait for the configured period to elapse and synchronize again; if synchronization fails, keep the existing configuration unchanged.
Fig. 4 shows the ASIC chip's ACL processing of a message received on a port. Once the switch's configuration has been synchronized successfully, the ACL table is enabled on the interface and every packet received on those ports is filtered.
The packet is first matched against the first access control list. As described above, the first rule of the first access control list delivers legal messages to the CPU: if the message contents are identical to the fields configured in the chip, the message is delivered to the CPU; if it does not match, the next rule is tried.
The second rule discards remote-access packets aimed at this switch. Only packets that did not match the first rule reach it, and such packets are regarded as carrying an illegal IP address, MAC address or VLAN ID.
The second access control list does not necessarily exist: it is created only when the number of username/password entries reaches 3, and it is likewise enabled on this port. A message that matches it while the rule is still within its 24-hour validity period is dropped. Messages that match none of these ACLs, such as ICMP messages and TFTP messages, are delivered to the CPU as normal.
In summary, the ACL implementation of the invention has the following characteristics:
(1) First determine the list of legal source IP addresses and MAC addresses of the machines that may remotely access the network devices.
(2) A switch that is to be accessed remotely must first be configured with a layer-3 interface IP address bound to a VLAN. Once the layer-3 interface is up, the switch adds a static MAC address to its layer-2 forwarding table.
(3) Designate the machine in the network that may communicate with the external network; it may be the gateway holding the public IP address or a RADIUS server that manages the local area network. This machine holds the built-in list of IP and MAC addresses with legal remote-access rights and can connect to the external network. So that the list cannot be leaked by network sniffing, every remote login to this machine from the external network should use SSH.
(4) Every switch in the network must periodically synchronize this configuration from the gateway. The switch's flash stores the source IP address, destination IP address, source MAC address, destination MAC address, VLAN ID and destination port number (the destination IP address, VLAN ID, destination MAC address and destination port number are the switch's own configuration and are kept in memory; the source MAC address and source IP address are synchronized). The table is stored as a hash table with a computed hash index, which keeps lookups simple.
The destination IP address is the IP address of the switch's layer-3 interface, the destination MAC address is the static MAC address configured in (2), and the VLAN ID is the VLAN bound to the layer-3 interface. The IP address and MAC address of a machine permitted remote access are synchronized from the gateway and written into the switch's flash as the source IP address and source MAC address. The hash index can be computed with the widely used MD5 hash algorithm; its advantage is a 128-bit hash value for which the probability of an accidental collision is negligible. (MD5's collision resistance is broken, so it must not be relied on against an adversary who chooses the input; here the inputs are operator-controlled address fields and the digest only keys a table, but a current implementation would use SHA-256 at no extra cost.)
(5) Compute an MD5 hash over the source IP address, destination IP address, VLAN ID, source MAC address, destination MAC address and destination port number, and use the result as the hash index for table lookups. One computation proceeds as follows; the hash index is the resulting MD5 value:
    initialize: MD5Init(&md5)
    feed the source IP field: MD5Update(&md5, (char*)source-ip, len)
    feed the destination IP field: MD5Update(&md5, (char*)dest-ip, len)
    feed the VLAN ID, source MAC address, destination MAC address and destination port number in the same way
    obtain the final result: MD5Final(&md5) (md5 now holds the final hash index)
After the next synchronization of the source IP address and source MAC address, the same hash algorithm is run again. If XOR-ing the new result with the stored hash index gives zero, the configuration is unchanged and no hardware entry is written to the ASIC chip; if the XOR is non-zero, the configuration has changed: the original ASIC chip entry is deleted and a new hardware entry is written. Only after the hardware entry has been written successfully is the original configuration overwritten, with the hash index serving as the lookup key.
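The synchronization cycle of Fig. 3 (steps 201 to 210) and the hash-index comparison of item (5), as an added example that is not part of the patent: the MD5 index over the six fields follows the MD5Update order given above, and the keep/add/delete decision is a set comparison of stored and synchronized indexes. The `AclConfig` and `L3Interface` names, the NUL separator between fields, and the `reconcile()` and `next_sync_delay()` interfaces are this example's own assumptions; the addresses are constructed sample data.

```python
"""Configuration synchronization and hash-index reconciliation for the first ACL table.

Added example, not the patent's code. The patent specifies MD5 over the six
ACL fields as the hash index and a compare-then-keep/add/delete cycle (Fig. 3,
item (5)); the AclConfig/L3Interface names, the NUL field separator and the
reconcile() interface are this example's assumptions.
"""
import hashlib
import random
from dataclasses import dataclass

REMOTE_ACCESS_PORTS = (23, 80, 161)   # telnet, web, SNMP


@dataclass(frozen=True)
class AclConfig:
    """One row of the hash storage table: the six fields of a first-ACL rule."""
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_mac: str
    vlan_id: int
    dst_port: int


@dataclass(frozen=True)
class L3Interface:
    """The switch's own configuration: layer-3 interface IP, its static MAC, bound VLAN."""
    ip: str
    mac: str
    vlan_id: int


def hash_index(cfg: AclConfig) -> str:
    """MD5 over the six fields, fed in the order of the description's MD5Update calls.

    A NUL separator follows each field (this example's choice) so that two rows
    whose concatenated fields happen to be equal cannot share an index.
    """
    h = hashlib.md5()
    for part in (cfg.src_ip, cfg.dst_ip, str(cfg.vlan_id),
                 cfg.src_mac, cfg.dst_mac, str(cfg.dst_port)):
        h.update(part.encode("ascii"))
        h.update(b"\x00")
    return h.hexdigest()


def build_table(trusted_hosts, iface: L3Interface) -> dict:
    """Expand synchronized (src_ip, src_mac) pairs into one row per remote-access port,
    keyed by hash index as the flash table is."""
    table = {}
    for src_ip, src_mac in trusted_hosts:
        for port in REMOTE_ACCESS_PORTS:
            cfg = AclConfig(src_ip, src_mac, iface.ip, iface.mac, iface.vlan_id, port)
            table[hash_index(cfg)] = cfg
    return table


def reconcile(stored: dict, synced):
    """Compare the stored table with the freshly synchronized one (Fig. 3, step 203).

    Returns (to_add, to_delete, unchanged), each {hash_index: AclConfig}:
    an index in both tables means the row is identical and the chip is left
    alone (step 210); a new index means add an ACL and bind it (steps 207-209);
    an index missing from the synced table means unbind and delete (steps 204-206).
    If the synchronization failed (synced is None) the stored table is kept as is.
    """
    if synced is None:
        return {}, {}, dict(stored)
    to_add = {k: v for k, v in synced.items() if k not in stored}
    to_delete = {k: v for k, v in stored.items() if k not in synced}
    unchanged = {k: v for k, v in stored.items() if k in synced}
    return to_add, to_delete, unchanged


def next_sync_delay(first_sync: bool, period: float = 600.0, rng=random.random) -> float:
    """Step 201 / item (8): the first sync after boot waits a random time within one
    period to spread the load on the gateway; later syncs run every period (10 min)."""
    return rng() * period if first_sync else period


if __name__ == "__main__":
    iface = L3Interface("10.0.0.1", "00:11:22:33:44:55", 10)   # constructed switch config
    stored = build_table([("10.0.0.100", "aa:bb:cc:dd:ee:01")], iface)
    synced = build_table([("10.0.0.100", "aa:bb:cc:dd:ee:01"),
                          ("10.0.0.101", "aa:bb:cc:dd:ee:02")], iface)
    add, delete, keep = reconcile(stored, synced)
    print(f"add {len(add)}, delete {len(delete)}, keep {len(keep)} ACL rows")
```

Because the index covers all six fields, a change to any one of them (a new source MAC for the same source IP, for instance) produces a new index rather than an in-place edit: the old row is deleted and a new row added, which is exactly the delete-then-write sequence the description requires for the ASIC entry.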
(6) There are three remote-access transport-layer destination port numbers in all: 23, 80 and 161, corresponding to telnet, web and SNMP access respectively. Each hash entry therefore needs six rules, two per access mode. For a rule to match the VLAN ID, the upstream switch must forward the data with its VLAN tag.
For telnet access, rule 1 regards a packet as legal only if it matches the source MAC address, destination MAC address, source IP address, destination IP address and VLAN ID exactly and its destination port number is 23; the ASIC chip then delivers it to the CPU. Rule 2 is the global ACL (configured with the same destination MAC address, destination IP address and destination port number as the first ACL) and is in force on all ports: a message whose destination MAC address and destination IP address agree with the chip configuration and whose destination port number is 23 is dropped. Because the ASIC chip stops at the first rule that matches, performs its action (forward, drop, deliver to CPU, and so on) and ends the lookup, a message that matches rule 2 by definition did not match rule 1 and is therefore an illegal access message to be discarded. Web and SNMP access are handled in the same way as telnet and occupy rules 3 to 6. Note that these three protocols carry their credentials in cleartext; the ACL restricts which hosts can reach the CPU but does nothing to protect the session contents.
Protocol messages that the CPU should process normally, such as 802.1X authentication messages, ARP messages and ICMP messages, are not dropped either: their destination port number is none of 23, 80 and 161 (ARP, ICMP and 802.1X carry no TCP/UDP header at all), so they cannot match the drop rules. The invention thus delivers protocol messages to the switch CPU by recognizing their port numbers.
Packets that are handed to the CPU for routing have the static MAC address of the switch's layer-3 interface as destination MAC address but a destination IP address other than that of the layer-3 interface, so they are not filtered out by these ACL rules either.
(7) A legal message delivered to the CPU means the remote machine has obtained legal access. If the username and password entered by the user fail the switch's local or remote RADIUS authentication and the number of attempts reaches 3, the network management function sends an SNMPv2 trap reporting the wrong username and password to the network management server as an alarm, and the source IP address, username and other details of the failed access are logged locally for later inspection. To stop an illegitimate user from retrying passwords, one more ACL rule is needed; it is placed in a second access control list, which comes after the first, so that even if the first access list lets a message through, the second can still discard it. The source IP address and source MAC address are taken from the packet header, the destination MAC address is the switch's static MAC address and the destination IP address is the IP address of the switch's layer-3 interface; an ACL entry with these fields is written to the ASIC chip and messages matching it are discarded. A time-range is set so that this ACL expires after 24 hours. The second access control list does not take part in configuration synchronization, so the switch's periodic synchronization from the gateway never changes it; it only expires with the passage of time. An ACL implemented in software would need millions of CPU instructions for this, whereas the ASIC chip dedicated to processing the network data flow does it easily and filters packets without any CPU involvement.
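The lookup described for Fig. 4 and items (6) and (7), as an added example that is not part of the patent. The `Packet` and `Rule` types, the `SwitchAcl` class and the "pass" result for traffic the ACLs leave alone are this example's own assumptions, and the addresses are constructed sample data. One modelling choice: the ASIC stops at the first matching rule, so to give the second ACL the "can still discard what the first ACL admits" behaviour the description asks for, the lockout rules are consulted before the first ACL rather than after it.

```python
"""Simulation of the per-port ACL lookup described for Fig. 4 and items (6)-(7).

Added example, not the patent's code. The Packet fields, the Rule/SwitchAcl
names, and the "pass" result for traffic the ACLs leave alone are this
example's assumptions.
"""
from dataclasses import dataclass
from typing import Optional

REMOTE_ACCESS_PORTS = (23, 80, 161)   # telnet, web, SNMP
LOCKOUT_ATTEMPTS = 3                  # item (7): lock out after 3 failed logins
LOCKOUT_SECONDS = 24 * 3600           # item (7): second ACL time-range of 24 hours


@dataclass(frozen=True)
class Packet:
    in_port: str
    src_mac: str
    dst_mac: str
    vlan_id: int
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None    # None for ARP, ICMP, 802.1X: no transport header


@dataclass
class Rule:
    action: str                         # "to_cpu" or "drop"
    match: dict                         # packet field -> value that must match exactly
    ports: Optional[frozenset] = None   # None: global rule, in force on every port
    expires: Optional[float] = None     # absolute time; used by the second ACL

    def matches(self, pkt: Packet, now: float) -> bool:
        if self.expires is not None and now >= self.expires:
            return False
        if self.ports is not None and pkt.in_port not in self.ports:
            return False
        return all(getattr(pkt, name) == value for name, value in self.match.items())


class SwitchAcl:
    """First ACL (exact match -> CPU), second ACL (lockout -> drop), global ACL (drop)."""

    def __init__(self, ip: str, mac: str, vlan_id: int, bound_ports):
        self.ip, self.mac, self.vlan_id = ip, mac, vlan_id
        self.bound_ports = frozenset(bound_ports)
        self.first_acl = []
        self.second_acl = []
        # Rule 2 of each access mode: same dst IP / dst MAC / dst port as the first ACL, all ports.
        self.global_acl = [Rule("drop", {"dst_ip": ip, "dst_mac": mac, "dst_port": p})
                           for p in REMOTE_ACCESS_PORTS]
        self.failures = {}   # (src_ip, src_mac) -> failed login count

    def allow_host(self, src_ip: str, src_mac: str) -> None:
        """Rule 1 of each access mode for one synchronized trusted host, bound to the port."""
        for dport in REMOTE_ACCESS_PORTS:
            self.first_acl.append(Rule("to_cpu", {
                "src_mac": src_mac, "dst_mac": self.mac, "src_ip": src_ip,
                "dst_ip": self.ip, "vlan_id": self.vlan_id, "dst_port": dport,
            }, ports=self.bound_ports))

    def record_login_failure(self, src_ip: str, src_mac: str, now: float) -> bool:
        """Count failed logins per source; on the third, install the 24-hour drop rule."""
        key = (src_ip, src_mac)
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] < LOCKOUT_ATTEMPTS:
            return False
        del self.failures[key]
        self.second_acl.append(Rule("drop", {
            "src_ip": src_ip, "src_mac": src_mac, "dst_mac": self.mac, "dst_ip": self.ip,
        }, ports=self.bound_ports, expires=now + LOCKOUT_SECONDS))
        return True

    def lookup(self, pkt: Packet, now: float = 0.0) -> str:
        """First matching rule wins, as in the ASIC. The second ACL is checked before the
        first so that a locked-out host is dropped even though the first ACL admits it."""
        for rule in self.second_acl + self.first_acl + self.global_acl:
            if rule.matches(pkt, now):
                return rule.action
        return "pass"   # no remote-access rule applies: ordinary forwarding or CPU handling


if __name__ == "__main__":
    sw = SwitchAcl("10.0.0.1", "00:11:22:33:44:55", 10, bound_ports={"ge1/1"})
    sw.allow_host("10.0.0.100", "aa:bb:cc:dd:ee:01")   # constructed trusted host
    telnet = Packet("ge1/1", "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55", 10, "10.0.0.100", "10.0.0.1", 23)
    spoof = Packet("ge1/1", "aa:bb:cc:dd:ee:99", "00:11:22:33:44:55", 10, "10.0.0.100", "10.0.0.1", 23)
    print("trusted telnet:", sw.lookup(telnet), "| spoofed IP, wrong MAC:", sw.lookup(spoof))
```

The cases worth checking are the ones the description singles out: a packet with the trusted IP but another MAC, or the right host on the wrong VLAN, falls through rule 1 and is caught by the global drop; an ICMP message (no destination port) and a packet routed through the CPU (destination IP not the layer-3 interface) match nothing and pass; and a locked-out host is dropped until the 24-hour time-range ends.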
(8) Consider a network failure such as a large-area power outage: a large number of switches all synchronizing from the gateway at the moment they boot would place a very heavy load on it. The design therefore delays the first synchronization by a random time within 10 minutes, and each subsequent synchronization runs on a 10-minute cycle, so simultaneous synchronization cannot overload the gateway.
The technical scheme above gives the invention the following advantages:
1. Traffic to the CPU is reduced effectively, which lowers CPU utilization and relaxes the CPU performance requirement of the network device.
2. Any network device implemented with an ASIC chip can provide this function as long as it supports ingress ACLs, VLAN partitioning and layer-3 interface configuration; the invention is therefore fairly general.
3. The network device binds source MAC address, source IP address and VLAN ID, so a user must access it from the specific machine with the bound IP address and may not reconfigure addresses at will; this lowers the risk of attacks with forged source IP addresses. (A host on the same layer-2 segment can forge its MAC address as easily as its IP address, so the binding raises the cost of spoofing rather than ruling it out.)
4. The configuration can be synchronized periodically from the commanding switch (the gateway), which reduces configuration complexity. The configuration table is stored as a hash table, so lookups are fast.
Those skilled in the art will appreciate that the ACL-based method of restricting remote access to a switch is not confined to switched networks; it extends to other centrally managed network communication systems in which remote access to a certain number of network devices must be restricted.
The above are merely preferred embodiments of the invention and do not limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (8)

1. A method for restricting remote access of a switch, characterized in that it comprises the following steps:
performing matching processing, using a first ACL of the switch, on the data packet messages received at a predetermined port of the switch;
handing over to the switch CPU for processing the matched data packet messages whose content is identical to the fields configured in the first ACL;
handing over to a global ACL, which takes effect at all ports of the switch, for processing the mismatched data packet messages whose content is not identical to the fields configured in the first ACL;
wherein the processing performed by said global ACL comprises:
if the destination IP address, destination MAC address and destination port number of said mismatched data packet message are identical to the corresponding fields configured in the global ACL, discarding it;
if the destination IP address or destination port number of said mismatched data packet message is not identical to the corresponding field configured in the global ACL and the message is a protocol message, handing said mismatched data packet message over to the switch CPU for processing.
2. The method according to claim 1, characterized in that, for the data packet messages of repeated user password input, matching processing is performed using a second ACL, and the data packet messages whose content completely matches the fields configured in the second ACL are discarded.
3. The method according to claim 1 or 2, characterized in that the fields configured in said first ACL comprise: source IP address, destination IP address, source MAC address, destination MAC address, VLAN id and destination port number, wherein the source IP address and source MAC address are obtained by remote synchronization, and the destination IP address, destination MAC address, VLAN id and destination port number are intrinsic configurations of the switch.
4. The method according to claim 3, characterized in that the switch periodically synchronizes the source IP address and source MAC address of remote access messages from a pre-designated gateway in the network, then combines the synchronized source IP address and source MAC address with the VLAN id, destination IP address, destination MAC address and port number in the switch's hash storage table to obtain the synchronized configuration, and calculates a synchronized configuration index.
5. The method according to claim 4, characterized in that the switch compares the ACL index calculated from the source IP address, destination IP address, source MAC address, destination MAC address, VLAN id and destination port number configured in the corresponding first ACL with said synchronized configuration index, and performs the following operation according to the comparison result:
if the synchronized configuration index is identical to the first ACL index, keeping the corresponding first ACL;
if the synchronized configuration index is different from the first ACL index, changing the corresponding first ACL.
6. The method according to claim 5, characterized in that, when the synchronized configuration index differs from the corresponding first ACL index, the switch performs the following operation:
if the synchronized source IP address and source MAC address are the source addresses of a new data packet message, copying said synchronized configuration into the switch's hash storage table, adding a first ACL for said new data packet message, and binding it to the port;
if the synchronized source IP address and source MAC address are empty, removing the binding of the corresponding first ACL from the port, and then deleting this corresponding first ACL from the ASIC chip of the switch.
7. A device for restricting remote access of a switch, characterized in that it comprises:
a matching processing module, for performing matching processing, using a first ACL of the switch, on the data packet messages received at a predetermined port of the switch;
a matched data packet message processing module, for handing over to the switch CPU for processing the matched data packet messages whose content is identical to the fields configured in the first ACL;
a mismatched data packet message processing module, for handing over to a global ACL, which takes effect at all ports of the switch, for processing the mismatched data packet messages whose content is not identical to the fields configured in the first ACL;
wherein the processing by said global ACL comprises:
if the destination IP address, destination MAC address and destination port number of said mismatched data packet message are identical to the corresponding fields configured in the global ACL, discarding said mismatched data packet message;
if the destination IP address or destination port number of said mismatched data packet message is not identical to the corresponding field configured in the global ACL and the message is a protocol message, handing said mismatched data packet message over to the switch CPU for processing.
8. The device according to claim 7, characterized in that it further comprises a module for forbidding repeated user password input, for performing matching processing, using a second ACL, on the data packet messages of repeated user password input, and discarding the data packet messages whose content completely matches the fields configured in the second ACL.
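The synchronization step of paragraph (8) and the index comparison of claims 4 to 6, as an added example that is not the patent's own code: the switch hashes the two fields synced from the gateway together with its four intrinsic fields into a configuration index, keeps ACLs whose index is unchanged, adds ACLs for new sources and deletes ACLs whose source has vanished from the sync. The switch fields, the choice of SHA-256 as the index hash and the function names are assumptions.

```python
# Added example (not the patent's own code): the index comparison of paragraph (8)
# and claims 4-6. SWITCH_FIELDS and the hash choice are constructed assumptions.
import hashlib
import random

# Switch-intrinsic part of an ACL entry: dst IP, dst MAC, VLAN id, dst port.
SWITCH_FIELDS = ("10.0.0.1", "00:11:22:33:44:55", 100, 22)

def config_index(src_ip, src_mac, switch_fields=SWITCH_FIELDS):
    """Index of one synchronized configuration: a hash over all six ACL fields,
    the two synced from the gateway plus the four intrinsic to the switch."""
    key = "|".join(map(str, (src_ip, src_mac) + tuple(switch_fields)))
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def reconcile(installed, synced):
    """installed: {index: (src_ip, src_mac)} as currently programmed in the ASIC.
    synced: (src_ip, src_mac) pairs just received from the gateway.
    Returns (keep, add, delete): indexes to keep, entries to add and bind to
    the port, and indexes to unbind from the port and delete from the ASIC."""
    wanted = {config_index(ip, mac): (ip, mac) for ip, mac in synced}
    keep = set(installed) & set(wanted)                            # same index: keep the ACL
    add = {i: e for i, e in wanted.items() if i not in installed}  # new source: add and bind
    delete = set(installed) - set(wanted)                          # source gone: unbind, delete
    return keep, add, delete

def sync_delay_seconds(first_sync, rng=random):
    """Paragraph (8): the first sync after start-up happens at a random point
    within 10 minutes so that switches recovering together do not all hit the
    gateway at once; every later sync runs on a fixed 10-minute cycle."""
    return rng.uniform(0, 600) if first_sync else 600.0
```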
CN201010101673.8A 2010-01-27 2010-01-27 Method and device for restricting remote access of switcher Active CN101820383B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010101673.8A CN101820383B (en) 2010-01-27 2010-01-27 Method and device for restricting remote access of switcher

Publications (2)

Publication Number Publication Date
CN101820383A CN101820383A (en) 2010-09-01
CN101820383B true CN101820383B (en) 2014-12-10

Family

ID=42655335

Country Status (1)

Country Link
CN (1) CN101820383B (en)

Also Published As

Publication number Publication date
CN101820383A (en) 2010-09-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200721

Address after: 210012 Nanjing, Yuhuatai District, South Street, Bauhinia Road, No. 68

Patentee after: Nanjing Zhongxing Software Co.,Ltd.

Address before: 518057 Nanshan District Guangdong high tech Industrial Park, South Road, science and technology, ZTE building, Ministry of Justice

Patentee before: ZTE Corp.